From af785ea1f3bbc2407deec30f2ad82ea80db873d1 Mon Sep 17 00:00:00 2001
From: Adrian Johnson <ajohnson@redneon.com>
Date: Tue, 11 Oct 2016 23:05:53 +1030
Subject: [PATCH] Fix integer overflow

https://bugs.freedesktop.org/show_bug.cgi?id=98165
---
 src/cairo-png.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cairo-png.c b/src/cairo-png.c
index 562b743..87e5bae 100644
--- a/src/cairo-png.c
+++ b/src/cairo-png.c
@@ -213,7 +213,7 @@ write_png (cairo_surface_t	*surface,
     }
 
     for (i = 0; i < clone->height; i++)
-	rows[i] = (png_byte *) clone->data + i * clone->stride;
+	rows[i] = (png_byte *) &clone->data[i * (size_t)clone->stride];
 
     png = png_create_write_struct (PNG_LIBPNG_VER_STRING, &status,
 	                           png_simple_error_callback,
@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure)
     }
 
     for (i = 0; i < png_height; i++)
-        row_pointers[i] = &data[i * stride];
+        row_pointers[i] = &data[i * (size_t)stride];
 
     png_read_image (png, row_pointers);
     png_read_end (png, info);
-- 
2.1.4